BESA: Extending Bugs Triggered by Runtime Testing via Static Analysis

Research area: Verification

Venue: EuroSys '25: Proceedings of the Twentieth European Conference on Computer Systems

Abstract

Due to limited test cases and execution scenarios, runtime testing often has insufficient code coverage and thus misses many real bugs. To tackle this problem, we propose a novel idea: static analysis of a bug triggered in runtime testing can help extend it and detect extra bugs missed by runtime testing. Based on this idea, we develop a new approach named BESA, which can extend null-pointer dereferences found by runtime testing via static analysis. It first collects trace information about the triggered bug in runtime testing, by monitoring PoC (Proof of Concept) execution or analyzing an existing failure log. Then, with this trace information, BESA uses a backward propagation analysis based on the call stack of the triggered bug to effectively identify source variables that propagate the problematic value to the buggy variable. Finally, for each source variable, BESA uses a summary-based alias-aware analysis to efficiently track target variables aliased with the buggy variable, in order to detect extra bugs. We have evaluated BESA on 25 known null-pointer dereferences found by runtime testing in four popular programs (SQLite, VIM, GPAC and the Linux kernel). BESA finds 57 extra bugs, and 18 of them are new bugs that have been confirmed.


Author Profile

Jiaju Bai, Beihang University, Beijing, China

Paper information

Publication year: 2025
Citations: 0
Publishing country: China
Site: ACM